I have the following problems:
I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE with
them. Otherwise when I remove these two iptables lines the shaping works
perfectly.

It is very important for me to shape the xxx.xxx.xxx.xxx ip and not the
yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.

What rules should be added to make this possible?

My iptables rules are:

iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to zzz.zzz.zzz.zzz -o eth4

iptables -t mangle -I PREROUTING -j IMQ
ip link set imq0 up

ip rule shows the following output:

32764: from zzz.zzz.zzz.0/24 lookup ew
32765: from all fwmark 1 lookup ew
32766: from all lookup main
32767: from all lookup default

My tc + htb rules look like this:

/sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
/sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit ceil 100Mbit burst 2k prio 5

/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 256

/sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit ceil 512kbit burst 2k prio 5
/sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b perturb 10
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match ip dst xxx.xxx.xxx.xxx flowid 1:2

/sbin/tc filter add dev imq0 parent 1:0 prio 5 handle ::1 u32 ht 800:: \
    match ip nofrag \
    offset mask 0x0F00 shift 6 \
    hashkey mask 0x00ff0000 at 8 link 1:

Daniel Sercaianu
Terranet Virtual Media
sdan@terranet.ro
GSM +40 788 837723

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi Daniel,

Daniel Sercaianu wrote:
> I have the following problems:
> I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE with
> them. Otherwise when I remove these two iptables lines the shaping works
> perfectly.
>
> It is very important for me to shape the xxx.xxx.xxx.xxx ip and not the
> yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.
>
> What rules should be added to make this possible?
>
> My iptables rules are:
>
> iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
> iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to zzz.zzz.zzz.zzz -o eth4
>
> iptables -t mangle -I PREROUTING -j IMQ
> ip link set imq0 up
>
> ip rule shows the following output:
>
> 32764: from zzz.zzz.zzz.0/24 lookup ew
> 32765: from all fwmark 1 lookup ew
> 32766: from all lookup main
> 32767: from all lookup default
>
> My tc + htb rules look like this:
>
> /sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
> /sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit ceil 100Mbit burst 2k prio 5
>
> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 256
>
> /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit ceil 512kbit burst 2k prio 5
> /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b perturb 10
> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match ip dst xxx.xxx.xxx.xxx flowid 1:2

If I understood you right, this is probably not working because imq sees
packets before zzz.zzz.zzz.zzz is DNATed back to xxx.xxx.xxx.xxx. Please
try the attached patch.

bye

patrick
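Added example (not part of the thread and not IMQ source code): a toy C model of the IPv4 PRE_ROUTING hook chain, showing which destination address the imq hook sees for a reply packet at each of the two priorities discussed. The addresses are constructed stand-ins for zzz.zzz.zzz.zzz and xxx.xxx.xxx.xxx and the function names are hypothetical; the priority values are those of linux/netfilter_ipv4.h.

```c
/* Toy model of netfilter hook ordering on PRE_ROUTING; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* IPv4 hook priorities as defined in linux/netfilter_ipv4.h */
enum { PRI_MANGLE = -150, PRI_NAT_DST = -100 };

struct pkt  { uint32_t dst; uint32_t dst_seen_by_imq; };
struct hook { int prio; void (*fn)(struct pkt *); };

/* Constructed sample addresses standing in for the thread's placeholders. */
#define NAT_IP  0xC000020Au /* 192.0.2.10, plays zzz.zzz.zzz.zzz */
#define HOST_IP 0x0A000005u /* 10.0.0.5,   plays xxx.xxx.xxx.xxx */

static void mangle(struct pkt *p) { (void)p; }  /* MARK etc.: address untouched */
static void nat_dst(struct pkt *p)              /* reply is de-NATed here */
{
    if (p->dst == NAT_IP)
        p->dst = HOST_IP;
}
static void imq(struct pkt *p) { p->dst_seen_by_imq = p->dst; }

static int by_prio(const void *a, const void *b)
{
    const struct hook *x = a, *y = b;
    return (x->prio > y->prio) - (x->prio < y->prio);
}

/* Send a reply addressed to NAT_IP through the chain with the imq hook
 * registered at imq_prio; return the destination a tc filter would see. */
uint32_t imq_view(int imq_prio)
{
    struct hook chain[] = {
        { PRI_NAT_DST, nat_dst }, { imq_prio, imq }, { PRI_MANGLE, mangle },
    };
    struct pkt p = { NAT_IP, 0 };
    size_t n = sizeof chain / sizeof chain[0];

    qsort(chain, n, sizeof chain[0], by_prio); /* lowest value runs first */
    for (size_t i = 0; i < n; i++)
        chain[i].fn(&p);
    return p.dst_seen_by_imq;
}

int main(void)
{
    printf("MANGLE+1:  imq sees %08x\n", (unsigned)imq_view(PRI_MANGLE + 1));
    printf("NAT_DST+1: imq sees %08x\n", (unsigned)imq_view(PRI_NAT_DST + 1));
    return 0;
}
```

With the hook at MANGLE + 1 the filter `match ip dst xxx.xxx.xxx.xxx` never sees the internal address, which is why the packets fall through to the default class.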
Sorry, last patch was broken, this one is ok.

patrick

Patrick McHardy wrote:
> Hi Daniel,
>
> Daniel Sercaianu wrote:
>
>> I have the following problems:
>> I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE with
>> them. Otherwise when I remove these two iptables lines the shaping works
>> perfectly.
>>
>> It is very important for me to shape the xxx.xxx.xxx.xxx ip and not the
>> yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.
>>
>> What rules should be added to make this possible?
>>
>> My iptables rules are:
>>
>> iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
>> iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to
>> zzz.zzz.zzz.zzz -o eth4
>>
>> iptables -t mangle -I PREROUTING -j IMQ
>> ip link set imq0 up
>>
>> ip rule shows the following output:
>>
>> 32764: from zzz.zzz.zzz.0/24 lookup ew
>> 32765: from all fwmark 1 lookup ew
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> My tc + htb rules look like this:
>>
>> /sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
>> /sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit
>> ceil 100Mbit burst 2k prio 5
>>
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1:
>> u32 divisor 256
>>
>> /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit
>> ceil 512kbit burst 2k prio 5
>> /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b
>> perturb 10
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match
>> ip dst xxx.xxx.xxx.xxx flowid 1:2
>
> If I understood you right, this is probably not working because imq sees
> packets before zzz.zzz.zzz.zzz is DNATed back to xxx.xxx.xxx.xxx. Please
> try the attached patch.
>
> bye
>
> patrick
>
> ------------------------------------------------------------------------
>
> --- imq.c.orig Sun Aug 11 15:30:24 2002 > +++ imq.c Sun Aug 11 15:31:17 2002
> @@ -37,7 +37,7 @@ > imq_nf_hook, > PF_INET, > NF_IP_PRE_ROUTING, > - NF_IP_PRI_MANGLE + 1 > + NF_IP_PRI_NAT_DST + 1 > }; > > static struct nf_hook_ops imq_egress_ipv4 = { > @@ -54,7 +54,7 @@ > imq_nf_hook, > PF_INET6, > NF_IP6_PRE_ROUTING, > - NF_IP6_PRI_MANGLE + 1 > + NF_IP6_PRI_NAT_SRC + 1 > }; > > static struct nf_hook_ops imq_egress_ipv6 = { >
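Review bot: in the first hunk (@@ -37,7), the new priority NF_IP_PRI_NAT_DST + 1 carries no comment saying why the hook has to sit there. A one-line comment on that field stating that the hook must run after destination NAT, so that imq sees the de-NATed address, would stop a later edit from moving it back to NF_IP_PRI_MANGLE + 1. The changelog should also say that filters on imq which match the pre-NAT destination will stop matching after this change.

Review bot: in the second hunk (@@ -54,7), the IPv6 hook is moved to NF_IP6_PRI_NAT_SRC + 1, while the IPv4 hunk above uses NF_IP_PRI_NAT_DST + 1. Both structs register on the pre-routing hook, so the two address families end up at different points in the chain. If the intent is the same as for IPv4, this line should read NF_IP6_PRI_NAT_DST + 1; if the difference is deliberate, a comment should say why.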
Yes, I think you are right. I will try it as soon as I get the chance,
because these are on a working server (router) which cannot be rebooted.
Temporarily I solved the problem by applying the download shapers to the
right eth.

Thanx,

Daniel Sercaianu
Terranet Virtual Media
sdan@terranet.ro
GSM +40 788 837723

On Sun, 11 Aug 2002, Patrick McHardy wrote:
> Sorry, last patch was broken, this one is ok.
> patrick
>
> Patrick McHardy wrote:
>
> > Hi Daniel,
> >
> > Daniel Sercaianu wrote:
> >
> >> I have the following problems:
> >> I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE with
> >> them. Otherwise when I remove these two iptables lines the shaping works
> >> perfectly.
> >>
> >> It is very important for me to shape the xxx.xxx.xxx.xxx ip and not the
> >> yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.
> >>
> >> What rules should be added to make this possible?
> >>
> >> My iptables rules are:
> >>
> >> iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
> >> iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to
> >> zzz.zzz.zzz.zzz -o eth4
> >>
> >> iptables -t mangle -I PREROUTING -j IMQ
> >> ip link set imq0 up
> >>
> >> ip rule shows the following output:
> >>
> >> 32764: from zzz.zzz.zzz.0/24 lookup ew
> >> 32765: from all fwmark 1 lookup ew
> >> 32766: from all lookup main
> >> 32767: from all lookup default
> >>
> >> My tc + htb rules look like this:
> >>
> >> /sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
> >> /sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit
> >> ceil 100Mbit burst 2k prio 5
> >>
> >> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1:
> >> u32 divisor 256
> >>
> >> /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit
> >> ceil 512kbit burst 2k prio 5
> >> /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b
> >> perturb 10
> >> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match
> >> ip dst xxx.xxx.xxx.xxx flowid 1:2
> >
> > If I understood you right, this is probably not working because imq sees
> > packets before zzz.zzz.zzz.zzz is DNATed back to xxx.xxx.xxx.xxx. Please
> > try the attached patch.
> >
> > bye
> >
> > patrick
> >
> > ------------------------------------------------------------------------
> >
> > --- imq.c.orig Sun Aug 11 15:30:24 2002 > > +++ imq.c Sun Aug 11 15:31:17 2002 > > @@ -37,7 +37,7 @@ > > imq_nf_hook, > > PF_INET, > > NF_IP_PRE_ROUTING, > > - NF_IP_PRI_MANGLE + 1 > > + NF_IP_PRI_NAT_DST + 1 > > }; > > > > static struct nf_hook_ops imq_egress_ipv4 = { > > @@ -54,7 +54,7 @@ > > imq_nf_hook, > > PF_INET6, > > NF_IP6_PRE_ROUTING, > > - NF_IP6_PRI_MANGLE + 1 > > + NF_IP6_PRI_NAT_SRC + 1 > > }; > > > > static struct nf_hook_ops imq_egress_ipv6 = { > > > >